I don't have any experience with the specific firewalls mentioned, so I will
limit my discussion to general comments.

First, about the .exe requirements mentioned by UPS. The techie who suggested
this probably thinks you have a personal firewall like ZoneAlarm on the
machine and not a network gateway device. Those firewalls allow access based
on which executable app is requesting the connection, in addition to the
normal rulesets. Since the software worked when the user took the computer
home, there is definitely no personal-firewall problem.

The rest of my suggestions are general to most firewalls.

It sounds like the SOHO3 was running a generic permit-all ruleset for traffic
from inside to outside, while the TZ170 probably has a deny-all, allow-specific
ruleset from inside to outside. A lot of the discussion on this list has
been about the differences and which is preferable.

Since UPS doesn't appear to be very helpful, the only way to find out what
needs to be opened up is to look at the logs to see what is being denied by
what rule when the software attempts to connect to the UPS network. Try it a
number of times to see if it uses the same destination ports or wanders up
and down a range of ports.

Hopefully someone else on the list has had experience with the application
and knows what needs to be opened, but if not, then this methodology should
help in finding out what is needed, as opposed to the simple yet insecure method
of adding a rule to allow the laptop to connect to any port through the
firewall.
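The log-review method described in the reply above, worked through as an added example (not code from the thread or from any SonicWall tool): collect the deny entries for the laptop, keep only those headed for the 153.2.x.x network named in the post, group them by destination host and protocol, and collapse the destination ports into runs so you can see whether the application uses a couple of fixed ports or walks through a range. The log line layout, the rule name, and the sample events are all constructed for the example; a real SonicWall syslog line looks different and the regex would need to be adapted to it.

```python
"""Summarize denied outbound connections to work out what a firewall rule
needs to allow: parse the deny entries, group them by destination, and
check whether the destination ports are fixed or wander across a range.

Added example, not code from the original thread. It assumes a generic,
constructed syslog-style line layout (not the real SonicWall format):
  <date> <time> DENY <proto> <src>:<sport> -> <dst>:<dport> rule=<name>
"""
import ipaddress
import re
from collections import defaultdict

DENY_RE = re.compile(
    r"\bDENY\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+rule=(?P<rule>\S+)"
)

# Constructed sample: a laptop at 192.168.1.50 repeatedly trying to reach the
# 153.2.x.x network named in the post, plus unrelated and malformed lines
# that the parser must ignore.
SAMPLE_LOG = """\
2005-03-01 09:00:01 DENY TCP 192.168.1.50:1045 -> 153.2.10.20:443 rule=LAN->WAN_default_deny
2005-03-01 09:00:01 DENY UDP 192.168.1.50:1046 -> 153.2.10.21:53 rule=LAN->WAN_default_deny
2005-03-01 09:00:03 DENY TCP 192.168.1.50:1047 -> 153.2.10.20:443 rule=LAN->WAN_default_deny
2005-03-01 09:00:05 DENY TCP 192.168.1.50:1048 -> 153.2.10.22:8080 rule=LAN->WAN_default_deny
2005-03-01 09:00:07 DENY TCP 192.168.1.50:1049 -> 153.2.10.22:8081 rule=LAN->WAN_default_deny
2005-03-01 09:00:09 DENY TCP 192.168.1.50:1050 -> 153.2.10.22:8082 rule=LAN->WAN_default_deny
2005-03-01 09:00:11 DENY TCP 192.168.1.60:1051 -> 10.0.0.5:445 rule=LAN->WAN_default_deny
2005-03-01 09:00:12 ALLOW TCP 192.168.1.50:1052 -> 153.2.10.20:80 rule=LAN->WAN_allow_http
2005-03-01 09:00:13 noise: not a firewall event
"""


def parse_denies(log_text):
    """Return one dict per DENY line; ALLOW and malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def denied_ports(events, src_ip, target_net):
    """Map (proto, dst_ip) -> sorted denied destination ports for traffic
    from src_ip into target_net. Also return the set of rule names that
    fired, so you can confirm it really is the default deny."""
    net = ipaddress.ip_network(target_net)
    ports = defaultdict(set)
    fired = set()
    for ev in events:
        if ev["src"] != src_ip or ipaddress.ip_address(ev["dst"]) not in net:
            continue
        ports[(ev["proto"], ev["dst"])].add(ev["dport"])
        fired.add(ev["rule"])
    return {k: sorted(v) for k, v in ports.items()}, fired


def collapse_ranges(ports):
    """Turn a sorted port list into (lo, hi) runs: [443, 8080, 8081, 8082]
    becomes [(443, 443), (8080, 8082)], which shows whether the app sits on
    fixed ports or walks through a range."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def suggest_rules(events, src_ip, target_net):
    """Propose the narrowest allow rules the log supports: one per
    (proto, destination host, contiguous port run), instead of 'any port'."""
    ports, _ = denied_ports(events, src_ip, target_net)
    rules = []
    for (proto, dst), plist in sorted(ports.items()):
        for lo, hi in collapse_ranges(plist):
            rules.append((proto, src_ip, dst, lo, hi))
    return rules


def render(rules):
    """Human-readable rule lines (not any vendor's rule syntax)."""
    return [
        f"allow {proto} {src} -> {dst} port {lo}" if lo == hi
        else f"allow {proto} {src} -> {dst} ports {lo}-{hi}"
        for proto, src, dst, lo, hi in rules
    ]


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    _, fired = denied_ports(evs, "192.168.1.50", "153.2.0.0/16")
    print("denied by:", ", ".join(sorted(fired)))
    for line in render(suggest_rules(evs, "192.168.1.50", "153.2.0.0/16")):
        print(line)
```

Run it against several attempts' worth of log, as the reply suggests; if a new run adds ports outside the runs seen before, the application is using a dynamic range and the rule has to cover that whole range rather than the handful of ports one attempt showed.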

I have upgraded my Sonicwall SOHO3 to TZ170 a couple
of weeks back for my small office network.

Everything seems to be working fine except for one
laptop which accesses UPS (United Parcel Service)
Worldship network.

Per its description on the UPS website: UPS
WorldShip® is a full-featured, Windows®-based
shipping software application for customers with high
volume shipping needs. WorldShip allows customers to
accelerate, streamline and enhance not only their
shipping processes, but financial and customer service
processes as well.

When we first installed the program in one of the
laptops, it seems to be working fine with the SOHO3
firewall.

And when we upgraded to the Sonicwall TZ170, that's
when the problem started to set in. We were told by
UPS technical support since we have upgraded a
firewall appliance, the firewall rules may have
blocked inbound and outbound communication between our
small office network and UPS's network.

Furthermore, we were told that we need to enable
support for gethostip.exe, shipups.exe, upslnkmg.exe
alongside allowing access for 153.2.x.x network.

I don't see any documentation for this Sonicwall
TZ170 on adding .exe files to the firewall, or that
it supports this method.

I am uncertain, though, whether my firewall rules have
something to do with it. AFAIK, other services such as
mail, terminal services are working fine except for
this one.

One odd thing that puzzles me is that if my boss
brings this laptop to his house and connects it to his
home network through his router, he can connect to
UPS and is able to do work and send info in a
bi-directional manner.

Whereas, if he returns to the office, he gets Error
Code 53670, which according to UPS has something to do
with our firewall and DNS resolution.

I have attempted and failed to enable this feature and
am hoping that maybe someone may have encountered this
problem in the past who may have the solution.
